Members: 

Ailsa Beaton (chair) Non-Executive Director 

Roger Barlow Independent Audit Committee member 
Jane McCall Non-Executive Director 

Attendees: 

ICO 

Elizabeth Denham Information Commissioner 

Paul Arnold Deputy Chief Executive Officer 

Louise Byers Director of Corporate Risk and Governance 
Andrew Hubert Director of Resources 

Joanne Butler Head of Risk & Governance 


Internal Auditors 
Darren Jones Mazars 


External Auditors 


Robert Buysman National Audit Office 

David Eagles BDO 

Sebastian Evans BDO 

Secretariat 

Chris Braithwaite Senior Corporate Governance Manager 
Caroline Robinson Corporate Governance Officer 


1. Introductions and apologies 
1.1. Apologies were received from Sid Sidhu and Peter Cudlip. 


1.2. Ailsa Beaton welcomed Sebastian Evans to his first ICO Audit 
and Risk Committee meeting. 


2. Declaration of interests 
2.1 There were no declarations made. 


3. Matters arising from the previous meeting 


3.1 The minutes of the previous meeting were agreed and there 
were no outstanding actions. 


4. Deputy Chief Executive Officer’s update 


4.1 Paul Arnold provided an update on matters relating to the 
ICO’s work including the recent DCMS Select Committee 
meetings, work being carried out in relation to COVID status 
certification, the continued support being provided to staff 
with regard to their wellbeing, the current consultation on 
future of work, business plans and KPIs, and the recruitment 
of the next Information Commissioner. 


4.2 A Nominations Committee has recently been introduced and 
this is currently overseeing the recruitment process for the 
replacement of the Independent Audit Committee Member. 


4.3 The Committee discussed the timing of the publication of the 
annual report and were keen to ensure that this did not 
coincide with the announcement of the appointment of the 
next Information Commissioner, which may happen in early 
July. 


4.4 The Committee members asked for assurance on resilience 
within the Finance Team, especially in relation to the external 
audit. Andrew Hubert and David Eagles confirmed that they 
did not anticipate any delays to the timetable for the audit. 


5. Compliance Arrangements — deep dive 


5.1 Louise Byers presented the report to provide assurance to the 
Audit and Risk Committee regarding the ICO’s compliance 
with legislative requirements and identifying key findings and 
recommendations to inform further assurance work, including 
the internal audit plan for 2020/21. 


5.2 The Risk & Governance Board has reviewed the report and 
agreed that this exercise would be carried out on an annual 
basis. 


5.3 Elizabeth Denham highlighted that Environment, Social and 
Governance measures are currently an important issue within 
the private sector and said she would be interested to receive 
some feedback on the work being carried out by public sector 
bodies in this area so that the ICO could align to best practice. 


5.4 The Committee agreed that the report was very informative 
and thanked Louise Byers, Joanne Butler and Chris 
Braithwaite for their hard work in developing the report. 


Action: Mazars and BDO to provide guidance and best practice 
from other organisations on ESG. 


6. Risk & Opportunity Management 


6.1 Louise Byers presented the report providing an update to the 
corporate risk review which has been completed since the last 
meeting. 


6.2 It was confirmed that some of the higher scoring risks have 
mitigating actions that are influenced by external factors. 


6.3 The committee discussed possible risks in relation to 
accommodation and the current political environment. 


6.4 It was confirmed that work is currently being undertaken to 
look at the future ways of work and once that has been 
completed, an Estate Strategy will be developed and 
considered by the Management Board. 


7. Annual Report 


7.1 Louise Byers presented the update relating to the annual 
report and confirmed that we are making good progress. The 
performance and accountability sections are well developed 
and currently with the Executive Team for review. 


7.2 The Committee discussed the use of the word “adequate” in 
relation to internal audit reports as this has been 
misinterpreted in the past. It was suggested that the 
definition of the ratings is added to the report to provide 
context. 


Action: Mazars to provide the draft internal audit annual report to 
the Committee during May 2021 (target date of 15 May 2021). 


8. Finance 


Year-end financial position 


8.1 Andrew Hubert presented the year-end financial position 
report. Income has exceeded the revised Q3 budget due to 
the unexpected overperformance of the Data Protection fee 
income in the last two months of the year and the project 
expenditure had been less than forecast. 


8.2 It was confirmed that the budget for 2021/22 will be regularly 
monitored and updated on a quarterly basis. 


8.3 The Committee commented that income overperformance 
may be seen as a negative in the current economic climate 
and therefore there needed to be a clear external narrative on 
the reasons for this surplus. In addition there will need to be 
a narrative on the project expenditure being deferred into 
2021/22. This was particularly important as it would need to 
be referred to within the annual report. 


8.4 The Committee also discussed the position in relation to 
income recognition for income on fee renewals where the fee 
was paid during 2020/21 but the renewal would take effect in 
2021/22. BDO confirmed that such income should usually be 
recognised in 2020/21. 


Action: External narrative on the income to be agreed prior to the 
next meeting. 


Trust Statement 


8.5 Andrew Hubert presented a report setting out options in 
relation to creating a trust statement for inclusion in the ICO’s 
Annual Report. He explained that the decision for an ALB to 
introduce a trust statement in their accounts required 
approval from Treasury, and Treasury would only give this 
approval no later than December in any given financial year. 
Therefore, it would not be possible to include a trust 
statement in the ICO’s 2020/21 Annual Report. 


8.6 Andrew Hubert explained that rather than producing a trust 
statement, the financial performance summary in the Annual 
Report would provide narrative information regarding the 
amount of fine income the ICO has collected during the year, 
how this had been dealt with, and the implications for this in 
relation to funding the ICO’s litigation work to support its 
regulatory activities. The target was then to produce a trust 
statement as part of the 2021/22 Annual Report. NAO 
commented that the information provided within the annual 
report and financial statements already included all of the 
information that a trust statement would provide. 


8.7 Roger Barlow noted that a reader of the Annual Report might 
find the consolidated fund difficult to understand. 


8.8 Ailsa Beaton proposed that we should develop a trust 
statement for 2021/22, as set out at Option 3 in the report. 
She commented that there did not appear to be a viable 
alternative to Option 3, as it was not possible to get Treasury 
approval to produce a trust statement for the 2020/21 Annual 
Report and Financial Statements at this stage. The 
Committee agreed with this approach. 


8.9 Roger Barlow explained that he was dissatisfied with this 
position, as he believed that it should have been possible for 
the ICO to produce a trust statement for 2020/21, given that 
the ICO had begun discussion on this with DCMS in October 
2020. He also noted that the level of fine income received 
was clearly material to the ICO, and therefore should have 
met the test of materiality that required a trust statement to 
be produced. He also commented that he would have 
expected more support from the external auditors for the 
ICO’s position, due to this materiality for the ICO. 


Action: Andrew Hubert to provide the draft wording for the 
financial performance summary section of the Annual Report to the 
Audit Committee for review. 


Action: Andrew Hubert and Paul Arnold to discuss with DCMS and 
Treasury to ensure that the ICO receives approval to produce a 
trust statement as part of its Annual Report and Financial 
Statements in 2021/22. This is to be resolved by October 2021. 


Single Tender Awards 


8.10 The Committee noted the tender report and agreed that it 
would be useful to include the competitive nature of the 
procurement where possible in the report. 


9. Internal Audit 


9.1 Darren Jones presented the progress report and audit reports 
on recent internal audits carried out since the last meeting. 


9.2 The Committee were comfortable with the reports and were 
especially pleased to see a substantial assurance result from 
the Information Governance audit. 


10. Outstanding audit recommendations 


10.1 The Committee noted the number of recommendations which 
were currently late. It was confirmed that these actions 
should be completed prior to the follow up audit, which would 
be carried out during May 2021. 


11. Annual Internal Audit Plan 


11.1 Darren Jones presented the draft internal audit plan and 
asked the committee to approve the proposed internal audit 
plan and provide recommendations for the final two areas for 
audit. 


11.2 The Committee agreed that the Compliance Arrangements 
report, considered earlier in the meeting, had not identified 
any additional areas of weakness that required further 
external assurance. Therefore the Committee agreed to the 
proposed additional areas of Workforce Planning and 
Performance reporting and management information as 
suggested by Mazars in the report. 


12. External Audit 


12.1 David Eagles provided an update and confirmed that the 
interim audit has been undertaken as planned and they are 
making good progress on the income and expenditure testing. 


12.2 BDO have been included in discussions relating to the trust 
statements, how best to include figures within the Annual 
Report, the position on back pay, showing as an accrual 
rather than a provision, and how to deal with the excess data 
protection fee. David Eagles commented that it has been 
helpful to have the opportunity to discuss these issues at an 
early stage. 


13. Cyber Security Assurance Report 


13.1 Louise Byers presented the annual report regarding progress 
towards completion of all cyber security standards within the 
HMG’s Security Policy Framework. 


13.2 Ailsa Beaton confirmed that the report is very helpful to 
provide assurance on cyber security to DCMS. 


14. Security Report 


14.1 The Committee noted the cyber security incident trends 
report. 


15. Fraud and whistleblowing report 


15.1 There have been no incidents reported this quarter. 


16. Audit Committee Annual Work Programme 


16.1 The Committee agreed the proposed work programme. 


17. Any other business 


17.1 It was confirmed that items relating to the annual report 
which required Audit Committee review should be circulated 
to committee members at the beginning of May for review. 
This would allow the Committee to confirm to the 
Management Board that they were content with these parts of 
the report. 


